Data Protection Laws and Transfer Impact Assessments in Hong Kong
Hong Kong is well positioned to become a regional data centre hub, with a free and open economy, low tax rate, high level of ICT infrastructure and a large pool of mobile, agile and skilled ICT professionals. This, plus a long history of data protection and the country’s strict laws on how personal information is collected and used, makes for a very appealing environment for companies to operate in.
The country’s strict data protection laws are based on international standards, and the office of the Privacy Commissioner for Personal Data (PCPD) encourages and enforces compliance with them. Its rules cover six key elements, such as requiring that a person’s data is not transferred to another without their explicit consent.
However, it’s important to note that the PCPD has not formally extended its jurisdictional scope beyond Hong Kong, unlike some other data privacy regimes which have conferred extra-territorial effect. Instead, the law is limited to those whose operations control the collection, holding, processing or use of personal data in Hong Kong. This includes the “single point of control” test, which is the most common basis for a transfer impact assessment.
As a result, many companies are compelled to conduct a transfer impact assessment before sending personal data outside Hong Kong. This helps them adhere to national or international laws, reduce the risk of violations that could lead to compensation claims in local jurisdictions and maintain a competitive advantage over their rivals.
In fact, a growing number of businesses are required to undertake a transfer impact assessment under the law due to the increasing volume of cross-border transfers with mainland China under the One Country, Two Systems principle. These flows are expected to increase further as business and social life becomes increasingly integrated with the rest of the world.
The PDPO also requires that a data user, when transferring personal data abroad, obtain the voluntary and express consent of the person whose data is being transferred. Additionally, the data user is not permitted to transfer the data for a purpose that was not previously specified in its PICS.
Finally, the PDPO prohibits anyone from “doxxing” personal information by publicly disclosing it in ways that reveal a person’s identity without their permission. The PDPO defines this to include “disclosing in a public place personal information which identifies the person.”
It’s worth noting that while the Hong Kong definition of personal data is fairly broad, it has not been updated since the PDPO was first enacted in 1996. As such, its wording may not be fully in line with that of other legislation – particularly the Personal Information Protection Law that applies in mainland China and the General Data Protection Regulation that applies in the EU – which have updated the meaning of personal data to encompass a narrower range of items.